"Kerio Control brings together next-generation firewall capabilities -- including a network firewall and router, intrusion detection and prevention (IPS), gateway anti-virus, VPN, and web content and application filtering. These comprehensive capabilities and unmatched deployment flexibility make Kerio Control the ideal choice for small and mid-sized businesses."

"Link headquarters to remote users and branch offices securely and easily. Kerio's own VPN tunneling with dead-simple setup requires minimal configuration, and provides a high performance network connection. Or, use industry-standard IPsec/L2TP for connectivity from mobile devices or third-party firewalls. Enable 2-step verification for an extra layer of security on all forms of remote access."

Source: http://www.kerio.com/products/kerio-control

Business recommendation:
------------------------
During a quick evaluation of the Kerio Control VPN protocol, it was apparent that the cryptographic protocol employed exhibited severe design issues.

Generally, SEC Consult strongly recommends preferring well-established standard cryptographic protocols over proprietary protocols wherever possible (e.g. DTLS, IPsec). Due to their widespread use, they generally receive much greater attention from experts. Therefore, many design issues with these protocols have already been detected and mitigated.

We therefore recommend that businesses switch from Kerio's proprietary VPN protocol to a standard protocol (Kerio Control supports IPsec, for example).

Note that no full audit of Kerio Control, Kerio VPN or the cryptographic protocol has been conducted. In addition to the vulnerabilities described here, we already identified critical vulnerabilities in Kerio Control in 2016. Hence we suspect there are more major security deficiencies in the product. We therefore recommend that GFI software greatly increase its efforts towards product security in order to keep customers secure.

We want to explicitly thank GFI for the professional handling of the communication during this whole process.

Vulnerability overview/description:
-----------------------------------
After a TLS connection is established between the Kerio VPN client and the Kerio Control appliance and cryptographic keys have been securely transferred over this connection, the data sent through the VPN is transmitted in UDP packets. Each of these packets is encrypted using Blowfish in CTR mode.

As this mode does not provide data authenticity, encrypted data that is modified by an attacker results in predictable modification of the plaintext. More precisely, bits that are flipped in the ciphertext result in the same bits being flipped in the plaintext after decryption.

Each encrypted UDP datagram contains a simple checksum (the same checksum used by IPv4). Assuming an attacker knows the plaintext data of a datagram and is able to modify its ciphertext, it is trivial to change parts of the message, e.g. inject content into the encrypted stream, while keeping the resulting checksum identical.
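
Why an encrypted IPv4-style checksum is not an integrity check, and what a keyed MAC changes, shown as an added example (not SEC Consult's proof of concept and not Kerio's code). Assumptions: a SHA-256 keystream stands in for Blowfish-CTR, the datagram layout (payload followed by a 16-bit checksum) and all keys and payloads are constructed, and encrypt-then-MAC is a generic mitigation, not a description of the vendor's patch.

```python
import hashlib, hmac

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, the checksum IPv4 uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in counter-mode cipher: SHA-256(key|nonce|counter) keystream, not Blowfish."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal_checksum(key, nonce, payload):
    """Constructed layout: encrypt(payload || 16-bit checksum), no MAC."""
    return ctr_xor(key, nonce, payload + inet_checksum(payload).to_bytes(2, "big"))

def open_checksum(key, nonce, datagram):
    plain = ctr_xor(key, nonce, datagram)
    payload, csum = plain[:-2], int.from_bytes(plain[-2:], "big")
    return payload if inet_checksum(payload) == csum else None

def seal_mac(enc_key, mac_key, nonce, payload):
    """Encrypt-then-MAC: HMAC-SHA256 over nonce and ciphertext."""
    ct = ctr_xor(enc_key, nonce, payload)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_mac(enc_key, mac_key, nonce, datagram):
    ct, tag = datagram[:-32], datagram[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ctr_xor(enc_key, nonce, ct) if hmac.compare_digest(tag, expected) else None

def xor_delta(datagram: bytes, old: bytes, new: bytes) -> bytes:
    """In-transit change made without the key: XOR (old ^ new) into the leading bytes."""
    delta = bytes(a ^ b for a, b in zip(old, new)).ljust(len(datagram), b"\x00")
    return bytes(c ^ d for c, d in zip(datagram, delta))

def demo():
    key, mac_key, nonce = b"k" * 16, b"m" * 32, b"n" * 8   # constructed values
    sent, altered = b"seq=0012", b"seq=1200"                # same 16-bit words, reordered
    weak = open_checksum(key, nonce, xor_delta(seal_checksum(key, nonce, sent), sent, altered))
    strong = open_mac(key, mac_key, nonce, xor_delta(seal_mac(key, mac_key, nonce, sent), sent, altered))
    return weak, strong   # checksum receiver accepts the altered payload; MAC receiver rejects it
```

The checksum is a linear, unkeyed function of the plaintext, so it survives any change that preserves the 16-bit word sum; the HMAC tag depends on a key the modifying party does not hold.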

Proof of concept:
-----------------
SEC Consult provided a proof of concept exploit script to GFI but it has been removed from this advisory in order to give customers more time to upgrade the infrastructure.

Vulnerable / tested versions:
-----------------------------
The version 9.2.7 build 2921 was found to be vulnerable. This version was the latest at the time of discovery and older versions are affected as well.

Vendor contact timeline:
------------------------
2018-10-17: Creating support case at https://gfisoftware.force.com, asking for security contact
2018-10-17: GFI support: Asking to upload advisory to support portal
2018-10-19: Uploading advisory
2018-10-22: GFI support: Escalated to engineers to further investigate
2018-10-25: GFI support acknowledges vulnerability
2018-11-08: GFI support: Beta version with patch available (with AES 128)
2018-11-09: Asking for release date of the patch
2018-11-12: GFI support proposes 2018-12-05 as a release date for the advisory
2018-11-19: Confirming 2018-12-05 as release date
2018-11-27: GFI releases patched version 9.2.8
2018-11-30: Asking for version number of the release with the fix
2018-12-03: GFI support: version 9.2.8 contains the patch
2018-12-05: Public release of the advisory

Solution:
---------
According to GFI support, both Kerio VPN client and the Kerio Control servers need to be updated to version 9.2.8 to mitigate this issue. Note that Kerio Control still supports the vulnerable protocol for backwards compatibility. According to GFI support, the next version 9.2.9 will drop the support for the old VPN protocol and will only support the new AES-based protocol.

GFI support described a procedure to verify that only patched versions of the client are connected to the Kerio Control VPN:

Quote:
  1. Open Kerio Control administrative console
  2. Click Status from the left sidebar
  3. Click VPN Clients
  4. Here you have displayed the list of VPN Clients. If the version column is not visible, right click on the header, select columns and select Version
  5. Vulnerable clients are version 9.2.7 or earlier.

Information about the current release can be found here:
http://www.kerio.com/support/kerio-control/release-history

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.
